Slashdot Mirror


Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

blottsie writes: Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.


  1. Monorail by sexconker · Score: 5, Funny

    Well, sir, there's nothing on Earth
    Like a genuine, bona-fide
    Electrified, six-inch iPhone 6 Plus.
    What'd I say?

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    That's right! iPhone 6 Plus!

    iPhone 6 Plus.
    iPhone 6 Plus.
    iPhone 6 Plus.

    I saw those leaks they had me wowed.
    We've made some changes to iCloud.
    Is there a chance the phone could bend?
    Not on your life, my hipster friend.

    What about us brain-dead slobs?
    You'll just worship Mr. Jobs.
    What's the point of that huge bezel?
    Just more space for fans to revel.

    16 gigs is too little space.
    Pay the upcharge to keep pace.
    I swear this phone's your only choice,
    Throw up your hands and raise your voice.

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    Once again.
    iPhone 6 Plus!

    But iOS is still shitty and broken.
    Sorry, Slashdot, the mob has spoken.

    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!

    iPho, d'oh!

  2. Re:Not Brute Force by aardvarkjoe · Score: 5, Informative

    > 20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.
    >
    > I find it hard to believe anyone was actually vulnerable to this.

    While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

  3. Re:celebgate by Anonymous Coward · Score: 5, Insightful

    Are you an iDiot or an iFan?

    My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).

    As the OP said, protecting against brute force attacks is basic security. This is another major screw-up from Apple.

  4. Re:Not Brute Force by Eythian · Score: 5, Insightful

    Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.
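
The point raised in comments 2 and 3, as an added example that is not part of the original thread and not any vendor's code: a lockout after five failures per account (the bank figure from comment 3) stops repeated guessing against one account, but a short list of popular passwords spread across many accounts also needs a per-source limit. The per-source limit of 20, the 15-minute window, the class and function names, and the source address are assumptions made for this sketch.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Counts recent failed logins per account and per source address."""

    def __init__(self, account_limit=5, source_limit=20, window=900.0):
        self.account_limit = account_limit  # five, as in the bank comparison
        self.source_limit = source_limit    # assumed value
        self.window = window                # seconds; assumed value
        self.by_account = defaultdict(deque)
        self.by_source = defaultdict(deque)

    def _recent(self, failures, now):
        # Drop failures older than the window, then count what is left.
        while failures and now - failures[0] > self.window:
            failures.popleft()
        return len(failures)

    def blocked(self, account, source, now):
        """Return the reason an attempt must be refused, or None."""
        if self._recent(self.by_account[account], now) >= self.account_limit:
            return "account_locked"
        if self._recent(self.by_source[source], now) >= self.source_limit:
            return "source_throttled"
        return None

    def attempt(self, account, source, password_ok, now):
        """Handle one login; returns 'ok', 'failed' or a block reason."""
        reason = self.blocked(account, source, now)
        if reason:
            return reason  # the password is never checked while blocked
        if password_ok:
            self.by_account[account].clear()
            return "ok"
        self.by_account[account].append(now)
        self.by_source[source].append(now)
        return "failed"

def simulate(guesses_per_account, accounts, throttle, source="198.51.100.7"):
    """Constructed scenario: one source submits wrong passwords, one per second.
    Returns how many guesses actually reached the password check."""
    checked, now = 0, 0.0
    for account in accounts:
        for _ in range(guesses_per_account):
            now += 1.0
            if throttle.attempt(account, source, False, now) == "failed":
                checked += 1
    return checked
```

With only the per-account limit in force, two guesses against each of 100 accounts all reach the password check; adding the per-source limit cuts that to 20.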